
Using string templating for HTML is bad/nonexistent web security, so by your argument it does compromise UX.


By your argument, everyone using string templating for HTML has bad/nonexistent web security. I disagree.


Not everyone, just the people whose pages display untrusted inputs, which is a huge fraction of the modern web...

(The rest just have brittle websites that might break when someone uses certain punctuation for the first time.)


Ah okay I see now you were referring to failure to sanitize inputs/outputs in the original comment. I don't know if this oversight occurs more often when using string templating, but I'm pretty sure this was already a problem long before string templating came into practice.


It's literally the reason why HTML templating is done with other means than string concatenation these days.


Isn't that why server side validation exists? What's wrong with letting the user enter whatever they want? It doesn't mean it has to be accepted.


Validation can force usernames to be a-z, but it doesn't work on freeform text. Forum comments should be able to state that the HTML open comment syntax is <!--


Not really. Lots of template engines escape and/or sanitize interpolated expressions, according to the context, by default.


Well that goes far beyond what I think of as "string templates", now you're parsing the string into HTML.



